Since OpenLDAP uses gnuTLS and Apache uses OpenSSL, it's silly to keep 2...

Since OpenLDAP uses gnuTLS and Apache uses OpenSSL, it's silly to keep 2 cipher list variables so the current (gnuTLS) cipher list variable is removed. Apache now uses HTTPS with the same key as OpenLDAP. All open ports are now rate limited.

Since OpenLDAP uses gnuTLS and Apache uses OpenSSL, it's silly to keep 2...
253ea568 · nimrod · c66be1fd · 253ea568 · 253ea568 · 253ea568
Commit 253ea568 authored 9 years ago by nimrod
--- a/README.rst
+++ b/README.rst
@@ -16,9 +16,8 @@ Role Variables
    domain: '{{ ansible_domain }}' #LDAP domain, converted to ldap formatted. Defaults to the domain name of the machine.
    basedn: #LDAP base distinguished name, defaults to machine's domain converted to LDAP format.
    password: #Password for admin account, if blank a random password will be generated and saved under files/ldap_password.
-    tls_cert: #Certificate for LDAPS, if blank the self-signed snakeoil cert is used.
+    tls_cert: #Certificate for LDAPS, if blank the self-signed snakeoil cert is used. Intermediate certs need to be included in this file.
    tls_key: #Key for LDAPS, if blank the self-signed snakeoil key is used.
-    cipherlist: #Cipher list for GnuTLS, used for LDAPS connection.
 Dependencies
 ------------

--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,4 +5,3 @@ organization: '{{ ansible_domain }}'
 domain: '{{ ansible_domain }}'
 basedn: 'dc={{ domain.split(".") | join(",dc=") }}'
 password: '{{ lookup("password", "ldap_password") }}'
-cipherlist: '+AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-RSA:+DHE-RSA:+AEAD:+SHA1:+SHA256:+SHA384'
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -9,3 +9,8 @@
 - name: Reload UFW
  ufw:
    state: reloaded
+- name: Restart Apache
+  service:
+    name: apache2
+    state: restarted
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -64,6 +64,7 @@
    - slapd
    - phpldapadmin
    - gnutls-bin
+    - ssl-cert
 - name: Allow OpenLDAP access to the TLS key
  user:
@@ -75,12 +76,12 @@
 - name: Configure UFW
  ufw:
-    rule: allow
+    rule: '{{ item[1] }}'
-    port: '{{ item }}'
+    port: '{{ item[0] }}'
    proto: tcp
-  with_items:
+  with_nested:
-    - 22
+    - [ 22, 443, 636 ]
-    - 636
+    - [ 'allow', 'limit' ]
 - name: Configure UFW default policy
  ufw:
@@ -121,6 +122,30 @@
  notify:
    - Restart OpenLDAP
+- name: Enable mod-ssl on Apache
+  apache2_module:
+    name: ssl
+    state: present
+  notify:
+    - Restart Apache
+- name: Disable default Apache site
+  file:
+    path: /etc/apache2/sites-enabled/000-default.conf
+    state: absent
+  notify:
+    - Restart Apache
+- name: Add phpLDAPadmin Apache site
+  template:
+    src: phpmyadmin.conf.j2
+    dest: /etc/apache2/sites-enabled/phpmyadmin.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - Restart Apache
 - name: Add backup cron job
  cron:
    name: OpenLDAP daily backup

--- a/templates/ldaps.ldif.j2
+++ b/templates/ldaps.ldif.j2
@@ -11,4 +11,4 @@ replace: olcTLSCertificateFile
 olcTLSCertificateFile: {{ internal_tls_cert }}
 -
 replace: olcTLSCipherSuite
-olcTLSCipherSuite: {{ cipherlist }}
+olcTLSCipherSuite: +AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-RSA:+DHE-RSA:+AEAD:+SHA1:+SHA256:+SHA384
--- a/templates/phpmyadmin.conf.j2
+++ b/templates/phpmyadmin.conf.j2
+<VirtualHost _default_:443>
+    DocumentRoot            /usr/share/phpldapadmin
+    SSLEngine               on
+    SSLCertificateFile      {{ internal_tls_cert }}
+    SSLCertificateKeyFile   {{ internal_tls_key }}
+    SSLProtocol             all -SSLv2 -SSLv3
+    SSLCipherSuite          !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+    SSLHonorCipherOrder     on
+    SSLCompression          off
+    ErrorLog                ${APACHE_LOG_DIR}/error.log
+    CustomLog               ${APACHE_LOG_DIR}/access.log combined
+</virtualHost>